On 30/06/16 06:34, Peter Bowen wrote:
> I think there is confusion over the generic term “Symantec”. There is no issue
> with Symantec (the company) being an affiliate of the USG FPKI and operating
> CAs mutually cross-certified with the USG FPKI. Additionally, there is no issue
> with Symantec (or anyone else) operating CAs included in the Mozilla trust
> anchor list.
>
> Where there is a problem, as Richard pointed out, is when a CA in the Mozilla
> trust anchor list issues a cross-certificate to a CA mutually cross-certified
> by the USG FPKI. The Mozilla policy is that every CA that is the subject of a
> cross issued by a CA in the Mozilla trust anchor list must comply with Mozilla
> policy. This is recursively true as well — “grandchild”, “great-grandchild”,
> etc. CAs must comply with Mozilla policy.
>
> Instead of revoking the Symantec SSP to Federal Bridge certificate, Symantec
> could instead revoke these two certificates to separate the USG FPKI from their
> Mozilla trusted CAs:
> https://crt.sh/?id=2733031
> https://crt.sh/?id=12722020
After a CA has disclosed an intermediate cert as revoked, how long does
it take for that revocation to be added to OneCRL and for the majority
of Firefox clients to pick up that updated OneCRL?
The cross-certificate issued by Symantec to "Federal Bridge CA 2013"
(https://crt.sh/?id=12638543) expires in 1 month. I'm wondering if
there's any point in revoking this intermediate or the two other
intermediates that Peter mentioned.
> This is probably a better option and would avoid the issues you raised before.
>
> Thanks,
> Peter
>
> On Jun 29, 2016, at 10:18 PM, Myers, Kenneth (10421)
> <[email protected]> wrote:
>
>> Thanks Eric.
>>
>> 1) Mutual trust is dependent on an exchange of certificates as outlined in
>> the MOA and not the receipt. If one is removed, both must be removed per the
>> MOA. Allowing only a certificate receipt is currently being discussed,
>> because mutual trust is a fundamental principle of the Federal Bridge. Revoking
>> the certificate breaches the agreement. The IdenTrust CA is operated under a
>> different program which coincidentally removed the certificate exchange
>> requirement around the same time it was brought up in the forum and in the FPKI
>> SSL testing.
>>
>> 2) The Federal Bridge is an identity hub and not an anchor. Trust is
>> established through the cert chain to Federal Common Policy and not through a
>> trust bundle or a trust store. Its purpose is to connect organizational PKIs so
>> an affiliate or federal agency can continue to use their root CA as a trust
>> anchor without the need to install other roots. By entering into an agreement
>> with the Federal Bridge, all affiliates (Symantec included) recognize they
>> trust certificates issued by other affiliates of the Federal Bridge based on
>> the policy mapping in certificate exchange. All certificates are issued against
>> the same criteria as outlined in the Federal Bridge CP and mapped to affiliate
>> CPs.
>>
>> Ken
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
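The recursive scope rule Peter describes ("every CA that is the subject of a cross issued by a Mozilla-trusted CA, and its grandchildren, great-grandchildren, etc.") is a reachability question over the directed graph whose edges are issuer-to-subject CA certificates. The block below, added here as an illustration and not code from the thread, from Mozilla, Symantec or the FPKI, walks that graph from a trust anchor, ignoring certificates that are expired on a given date or that appear in a revoked set. The topology, validity dates and labels are constructed assumptions: the CA names are borrowed from the thread, but the edges do not claim to describe the actual contents of the crt.sh entries cited above. It shows three things the discussion turns on: the whole Bridge side lands in Mozilla policy scope through one Symantec-issued cross, revoking only that cross severs it even while the Bridge's own cross back to Symantec stays valid (direction matters, mutual cross-certification is two separate edges), and once the cross expires the graph looks the same as if it had been revoked, which is the substance of the question about whether late revocation is worth anything.

```python
"""Compute which CAs fall under a root program's policy via cross-certificates.

Edges are (issuer -> subject) CA certificates. A CA is in scope if it is
reachable from a trust anchor by following edges that are unexpired on the
evaluation date and not revoked. The topology below is CONSTRUCTED for
illustration; names come from the mailing-list thread, but the edges, dates
and labels are assumptions, not the real crt.sh certificates it cites.
"""
from collections import deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CaCert:
    """A CA certificate reduced to the fields that matter for path building."""
    issuer: str
    subject: str
    not_after: date
    label: str          # hypothetical handle standing in for a serial / crt.sh id


def policy_scope(anchors, certs, on, revoked=frozenset()):
    """Return every CA (excluding the anchors) reachable from `anchors` by
    following issuer -> subject edges over certificates that are unexpired on
    `on` and whose label is not in `revoked`.

    Direction matters: a certificate the Bridge issues *to* a Symantec CA is
    an edge Bridge -> Symantec and never pulls the Bridge into scope. Cycles
    from mutual cross-certification are handled by the visited set.
    """
    edges = {}
    for c in certs:
        if c.label in revoked or c.not_after < on:
            continue            # revoked or expired edges are not usable for a path
        edges.setdefault(c.issuer, []).append(c.subject)

    seen = set(anchors)
    queue = deque(anchors)
    while queue:                # breadth-first walk downward from the anchors
        ca = queue.popleft()
        for sub in edges.get(ca, ()):
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return seen - set(anchors)


# Constructed topology. Dates are assumptions chosen so that the Symantec ->
# Bridge cross expires about a month after the thread (30 June 2016).
ROOT      = "Symantec root in the Mozilla trust anchor list"
SSP       = "Symantec SSP CA"
FBCA      = "Federal Bridge CA 2013"
COMMON    = "Federal Common Policy CA"
AFFILIATE = "Another FPKI affiliate CA"

CERTS = [
    CaCert(ROOT,   SSP,       date(2025, 1, 1),  "root->ssp"),
    CaCert(SSP,    FBCA,      date(2016, 7, 31), "ssp->fbca"),       # the cross Symantec could revoke
    CaCert(FBCA,   SSP,       date(2025, 1, 1),  "fbca->ssp"),       # the Bridge's half of the mutual cross
    CaCert(FBCA,   COMMON,    date(2025, 1, 1),  "fbca->common"),
    CaCert(COMMON, FBCA,      date(2025, 1, 1),  "common->fbca"),
    CaCert(FBCA,   AFFILIATE, date(2025, 1, 1),  "fbca->affiliate"),
]


def scope_today():
    """On the day of the thread with nothing revoked, the entire Bridge side is
    a grandchild / great-grandchild of the Mozilla-trusted root."""
    return policy_scope({ROOT}, CERTS, on=date(2016, 6, 30))


def scope_after_revocation():
    """Revoking only the Symantec-issued cross severs the Bridge side, even
    though the Bridge's own cross to Symantec is still valid."""
    return policy_scope({ROOT}, CERTS, on=date(2016, 6, 30), revoked={"ssp->fbca"})


def scope_after_expiry():
    """Once the cross has expired, the result is identical to having revoked it."""
    return policy_scope({ROOT}, CERTS, on=date(2016, 8, 1))


if __name__ == "__main__":
    for name, fn in [("today", scope_today),
                     ("revoked", scope_after_revocation),
                     ("expired", scope_after_expiry)]:
        print(f"{name:8s}", sorted(fn()))
```

Running it prints the full Bridge side for "today" and only the Symantec SSP CA for the other two cases. The same walk, fed real issuer/subject pairs from crt.sh, is how one would check whether a proposed set of revocations actually disconnects a bridge from a root program's anchors rather than leaving a second path in place.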